The RISKS Digest
Volume 15 Issue 67

Friday, 18th March 1994

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Hazards on the Superhighway
Erskine Widemon
The RISKS of whale removal
Tom Mahoney via Mark Stalzer
The Handmaid's Tale, Giuliani-Style
Chris Kreussling
IRS Surveillance
J. Cooper
Risk Conference - Two for the price of one!
Patrick J. O'Toole
911 (again)
Richard Johnson
Re: Clipper Compromised
Dorothy Denning
It's Apple and it's grammar.
John Oram
L.A. phone fire (a.k.a. "Risks of believing ...)
Lauren Weinstein
RSAREF/RIPEM Free and Legal Worldwide
Jim Bidzos
CERT ADVISORY - MD5 Checksums
CERT
Info on RISKS (comp.risks)

Hazards on the Superhighway

Erskine Widemon <tzw2446@ddrw.dla.mil>
Fri, 18 Mar 94 10:32:52 PDT
The following incidents were mentioned in the March 14, 1994 Modesto Bee.

- Laurie Powell joined an on-line service to discuss the joys and pitfalls of
raising children.  An elusive cyberstalker called Vito has threatened her
life, sent her pornographic e-mail and may be following her around the
country.

- Larry Greenberg of New York could have lost his job when someone sent his
boss a fax from a phony law firm accusing him of being a convicted rapist and
child molester.  Greenberg suspects the fax was sent by an on-line foe.

- A 14-year-old New Jersey girl was forced off the network last month after
continuing to receive unwanted computer-generated sexual images of young boys.

- Evelyn McHugh, a New Jersey housewife, discovered a Chicago man was sending
obscene messages in her name.

- A 14-year-old Boston boy disappeared after running away to meet a man in
Texas who sent him on-line love letters and airline tickets.

Erskine Widemon


The RISKS of whale removal

<stalzer@macaw.hrl.hac.com>
Fri, 18 Mar 1994 08:33:48 +0800
This has absolutely nothing to do with computers, but it is heartening to know
that our industry isn't the only one that does foolish things. — Mark

----- Begin Included Message -----

The Farside comes to life in Oregon.

I am absolutely not making this incident up; in fact I have it all on
videotape.  The tape is from a local TV news show in Oregon, which sent a
reporter out to cover the removal of a 45-foot, eight-ton dead whale that
washed up on the beach.  The responsibility for getting rid of the carcass was
placed on the Oregon State Highway Division, apparently on the theory that
highways and whales are very similar in the sense of being large objects.

So anyway, the highway engineers hit upon the plan--remember, I am not making
this up--of blowing up the whale with dynamite. The thinking is that the whale
would be blown into small pieces, which would be eaten by seagulls, and that
would be that.  A textbook whale removal.

So they moved the spectators back up the beach, put a half-ton of dynamite
next to the whale and set it off.  I am probably not guilty of understatement
when I say that what follows, on the videotape, is the most wonderful event in
the history of the universe. First you see the whale carcass disappear in a
huge blast of smoke and flame.  Then you hear the happy spectators shouting
"Yayy!" and "Whee!" Then, suddenly, the crowd's tone changes. You hear a new
sound like "splud."  You hear a woman's voice shouting "Here come pieces
of...MY GOD!" Something smears the camera lens.

Later, the reporter explains: "The humor of the entire situation suddenly gave
way to a run for survival as huge chunks of whale blubber fell everywhere."
One piece caved in the roof of a car parked more than a quarter of a mile
away.  Remaining on the beach were several rotting whale sectors the size of
condominium units.  There was no sign of the seagulls who had no doubt
permanently relocated to Brazil.

This is a very sobering videotape.  Here at the institute we watch it often,
especially at parties. But this is no time for gaiety.  This is a time to get
hold of the folks at the Oregon State Highway Division and ask them, when they
get done cleaning up the beaches, to give us an estimate on the US Capitol.

Tom Mahoney, #9,  Coast Guard Sqn.1/Div.13 CatLo

----- End Included Message -----


The Handmaid's Tale, Giuliani-Style

Chris Kreussling <70700.266@CompuServe.COM>
18 Mar 94 09:26:45 EST
The following appeared in the New York Times on Tuesday, March 1, front page
of the Metro Section (page B1). I haven't seen reference to this in Risks
digests since then. And if there's been anything about it since in the local
press, I've missed it.

My comments and questions:
- Anyone know more about this than appeared in the Times?
- Those with the *technical* ability to affect Board of Ed funding had no
*legal* authority to do so. The design of the system - and its security - does
not reflect the legal and political boundaries of the organizations it's
supposed to serve.
- Probably easy to overlook one budget code out of "399 different budget
categories." Unless they were informed by the administration, the agency and
personnel who actually installed the change probably didn't know its full
impact. They were "just following orders" ...
- The funds were not just "frozen" they were "transferred" to another account.
I think the technical term is "stealing"?
- The Mayor, his administration, and the City Comptroller violated state law.
Are there computer-specific laws they may also have broken? Wire fraud, for
example?

    Giuliani Tries Electronic School-Spending Freeze, by Josh Barnabel

    Without warning the Board of Education, the Giuliani administration
  last week loaded software on a computer accounting system to block spending
  on school supplies. But the administration reversed the spending freeze
  after the Board considered legal action ...
    School officials said they discovered that the $68 million spending
  freeze had been imposed only when budget analysts ... noticed that spending
  authorizations were rejected by the city's accounting system for lack of
  funds ...
    At the direction of the Mayor and the city's Comptroller, the
  [Financial Information Services Agency] loaded new software on the city's
  accounting system after business hours on Thursday. The software sent
  instructions to the city's computers blocking spending of 90 percent of the
  available funds in 399 different budget categories for all city agencies,
  from supplies and materials, to out-of-town travel, to temporary service and
  consulting contracts.
    The software in effect froze the school system's checking accounts,
  and transferred the available balances into reserve accounts controlled by
  the Mayor ...
    The board receives less than half its money from city taxes, and is
  not required to submit its detailed line-item budget to the Mayor or the
  City for approval ...


IRS Surveillance

<j.cooper6@genie.geis.com>
Fri, 18 Mar 94 08:12:00 BST
From COMMERCE BUSINESS DAILY, 940317 (Government notice of bids)

< -------< Department of the Treasury (DY), Internal Revenue Service,
Constellation Centre, 6009 Oxon Hill Rd., Rm. 700, M:P:O:S Oxon Hill,
 MD 20745

< 36 — REMOTE DIAL NUMBER RECORDERS

SOL IRS-94-0051 POC Shirley Campbell, Contract Specialist, (202) 283-1144.

The Internal Revenue Service intends to procure 28 remote telephone data
collection units, including software. Capable of collecting and storing
information from the target line on at least 700 telephone calls (time of
call, length of call, number dialed, caller ID, call progress tone
detection, etc.). The unit must be no larger than 5.9x1.5x3.2 inches.

The unit is controlled and records are transmitted through the dial-up line
through a computer modem. The instrument must be transparent to the target
line. The unit will be powered through the dial-up line.

100% Small Business Set-Aside. Telephone requests for the solicitation
package will not be accepted. (0075)

   [Great for identifying anonymous callers who request information
   on whether illegal acts must be declared, and other such revealing
   queries?  PGN]


Risk Conference - Two for the price of one!

Patrick J. O'Toole <potoole@consultant.win.net>
Thu, 17 Mar 1994 16:11:47
I recently registered for the upcoming Software Engineering Institute (SEI)
Conference on Software Risk and provided my Master Card information for
billing purposes.  About a week later, I received a confirmation letter and
receipt from the SEI; two days later, I received a second confirmation letter
and receipt.

Since the registration and payment numbers were different on the two receipts,
I suspected a double booking/billing may have occurred, and called the SEI to
rectify the problem.  After looking into the situation, the SEI informed me
that I had tripped a bug in a program which resulted in my being double
registered, but *not* double billed.  They assured me that I was the only one
affected, and that the problem had indeed been resolved.

Today I received two separate invitations to participate in an upcoming
Software Engineering Process Group meeting.  I am not planning to attend this
particular event, but if anyone is interested in a "buy one, get one free"
offer, please give me a call!


911 (again)

Richard Johnson <rdj@plaza.ds.adp.com>
Mon, 14 Mar 1994 07:37:53 -0800 (PST)
Yeah, we've beaten 911 problems to death historically, but it's a change from
Clipper.  :=)

I have a friend.  His family and mine are quite close.  We call each other's
houses daily, sometimes multiple times in one day.  His phone number begins
591-1xxx.

As you guessed, about once a month, something happens with the phone company
switching, and we get 911--as a wrong number.  So far the emergency response
people have been quite nice about this, and I haven't seen any penalty-type
charges on our phone bill.

The risks:
Aside from the obvious one, that we're discussing a safety-critical system, is
the sheer volume of calls this represents.  Ten thousand different phone
numbers could get automatically diverted to 911.  If we figure 500 hours each
month when people are awake and calling (that's 16 a day), and each one gets
redirected once a month, then 911 must be seeing a wrong number every three
minutes!

No wonder they're so nice about it...

Richard Johnson    (rdj@plaza.ds.adp.com)       (richard@agora.rain.com)


Re: Clipper Compromised

Dorothy Denning <denning@chair.cosc.georgetown.edu>
Fri, 18 Mar 94 09:52:54 EST
RISKS-15.66 included a brief from "Network World," which referenced a story in
the "Security Insider Report" suggesting that Aldrich Ames could have had
access to Clipper's classified SKIPJACK algorithm or Clipper keys.  A New York
Times reporter asked me about this rumor a few weeks ago, and the whole idea
struck me as so obviously absurd that I could hardly stop laughing.
Nevertheless, I did check it out with people who would know.  They confirmed
what I thought.  The whole rumor is total nonsense.

What I don't understand is why people persist in spreading rumors and
speculation that have no basis and don't even make sense.

Dorothy Denning


It's Apple and it's grammar.

John Oram <oramy92@halcyon.com>
Fri, 18 Mar 1994 00:24:57 -0800
This was in the TidBITS newsletter (#217/14-Mar-94). Evidently the
AppleScript creators  don't read this newsgroup...

>**John Baxter** <jwbaxter@pt.olympus.net> writes:
>  I've run into something that grammar mavens may find interesting.
>  Consider this correct [English version] AppleScript code:
>
>  tell word 4 of paragraph 2 of document 1 of application
>   "Scriptable Text Editor"
>    get it's text
>  end tell
>
>  Here, Apple has managed to make AppleScript syntax so English-like
>  that it commits the all-too-common mistake of using "it's" instead
>  of "its" as the possessive.
>
>  You can of course also write that statement as:
>
>    get the text of it
>
>  That sounds terribly stilted, but at least avoids the incorrect
>  use of the contraction in place of the possessive. One of the
>  amusing things is that Apple has the potential of running into
>  such problems in each language for which they provide an
>  AppleScript dialect.


L.A. phone fire (a.k.a. "Risks of believing all news reports...")

Lauren Weinstein <lauren@vortex.com>
Thu, 17 Mar 94 21:02 PST
> From: "George Feil" <feil@sbcm.com>
> A news bulletin just in: A fire in a Pacific Bell switching complex
> has knocked out local phone service to most of Los Angeles, CA.

The fire's impact was considerably overstated by press accounts.  It
occurred in the downtown L.A. "Madison" C.O. complex (in particular,
LSAN-0470T), which is one of several downtown high-rise switching centers.
The fire knocked out primary and secondary power supplies that (unlike many
of the other supplies in the building, apparently) were co-located.

Failure of SS7 links caused disruption of interoffice service for
customers whose local subscriber lines were served by that office,
and wider disruption of 911 service throughout a broader portion
of the L.A. area, since the citywide 911 center is downtown.
There were also apparently some limited long-distance
access problems to some areas for some carriers.

Media and local telephone operators quickly began publicizing local
direct dial emergency numbers to offset the 911 failure.  There were
no reports that I heard of any serious problems relating to the 911
disruption.  Some operations were switched to secondary facilities
in other areas.

Outside of the 911 problems, most areas of the city and the surrounding
metro area (except the immediate downtown area served by Madison) noticed
few obvious effects.

--Lauren--


RSAREF/RIPEM Free and Legal Worldwide

Jim Bidzos <jim@RSA.COM>
Fri, 18 Mar 94 03:32:48 PST
For more info, contact Kurt Stammberger, RSA Data Security, Inc. 415/595-8782.
To download RSAREF and RIPEM, send any message to rsaref@rsa.com or ftp from
msu.edu

RSA DATA SECURITY ANNOUNCES DIGITAL SIGNATURE SOFTWARE THAT IS FREE AND LEGAL
WORLDWIDE

Information superhighway gets free tool to authenticate information;
an answer to Vice-president Gore's concerns over Internet break-ins

         ---------------------------------------------------------

Redwood City, Calif. (March 21, 1994) - RSA Data Security, Inc.  announced
today a first: digital signature software that is both free and legal
worldwide.

RSA applied for and received a "commodities jurisdiction," or CJ for a
software package called RIPEM/SIG, which was built with RSA Data Security's
RSAREF toolkit, a freeware package. A CJ, which is a ruling that the software
falls under the Commerce Department's jurisdiction as opposed to the State
Department, allows RIPEM to be freely and legally exported.  Further, RSA has
relaxed the use restrictions in its free crypto toolkit. RSAREF, and any
application built with it, may now be used in commercial settings as long as
it is not sold or used to provide a direct for-profit service.

Digital signatures are produced using the RSA cryptosystem, which is a
public-key cryptosystem.  Each user has two keys - one public and one private.
The public key can be disclosed without compromising the private key.  The RSA
cryptosystem was invented and patented in the late 1970's by Drs. Rivest,
Shamir, and Adleman at the Massachusetts Institute of Technology.

Electronic documents can be "signed" with an unforgeable "signature" by using
a document/private-key combination to produce a signature unique to the
author/document.  Anyone, by using only RIPEM and the public key of the
author, can verify the authenticity of the document.

Applications of digital signatures are endless.  One reason that the paperless
office has never materialized is that paper must still be printed so that
handwritten signatures can be applied.  RSAREF and RIPEM solve that problem.
Expense reports, any electronic forms, administrative documents, even tax
returns can be electronically signed to speed electronic document flow and
eliminate fraud.  Information on the Internet can be signed and verified to
prevent spoofing.  Recently, unauthenticated messages at Dartmouth College
caused an important test to be cancelled; messages impersonating faculty were
sent out.

"Data mailed, posted, or put on servers on the Internet is inherently
untrustable today," said Jim Bidzos, president of RSA. "Tampering with
electronic documents takes no special skills, and leaves no trace.  With the
availability of a free, legal, and exportable tool such as RIPEM, there's no
need for such a situation to continue. It can be used by individuals,
corporations, and government agencies at no cost."

In a February 4th announcement, Vice-president Gore stated that the recent
Internet break-ins could have been prevented with digital signatures. "Here
they are," said Bidzos.  Recently, cryptography has caused clashes between
government and industry, over privacy issues, law enforcement concerns, and
export issues.  "The US government has approved this software for export,"
said Bidzos. "Clearly, it's no threat to them. And it's free."

Digital signatures can also be used to detect any virus before a program is
executed, since any change whatsoever is detected.

The RIPEM application was developed using the RSAREF toolkit by Mark Riordan
of Michigan State University. A Macintosh version, developed by Ray Lau of
MIT, the author of the popular "StuffIt" program, is also available.  Versions
for DOS, Unix, and all popular platforms are supported. "PEM" stands for
Privacy Enhanced Mail, a published Internet standard for secure electronic
mail.  Other innovative applications can also be built with RSAREF and
distributed at no cost.  The full encryption-capable RIPEM is available only
in the US.

RSA digital signatures are a standard feature of Lotus Notes, the Apple System
7 Pro Operating System, Novell NetWare, Microsoft Windows at Work, Windows NT,
IBM System Security Products, DelRina PerformPro, WordPerfect InForms, SHANA
InFormed, BLOC F3 Forms, Fischer International Workflow, and numerous other
products. Over 3 million commercial products in the market today already use
RSA signatures under license from RSA Data. Other RSA licensees include
General Magic, Hewlett-Packard, Oracle, Unisys, Digital Equipment Corp,
Motorola, and numerous others.

RSA Data Security, Inc. designs, develops, markets, and supports cryptographic
solutions toolkits and products.  The company was founded by the inventors of
the RSA cryptosystem in 1982 and is headquartered in Redwood City, California.


CERT ADVISORY - MD5 Checksums

CERT Advisory <cert-advisory-request@cert.org>
Fri, 18 Mar 94 16:46:58 EST
CA-94:05                         CERT Advisory
                                 March 18, 1994
                                 MD5 Checksums

This advisory gives the MD5 checksums for a number of SunOS files, along with
a tool for checking them.  The checksums can be used to assure the integrity
of those files.

The CERT Coordination Center is distributing these checksums because of an
increasing number of incidents in which intruders who gain root access are
modifying system files to install Trojan horses.

Moreover, intruders are modifying files so that they have the same checksum as
the original file.  This is possible because the standard "sum" program that
comes with most UNIX systems was designed to detect accidental modifications
to files and is not strong enough to prevent deliberate attempts to yield a
specific checksum.  The MD5 algorithm by RSA Data Security, Inc. is
specifically designed to provide checksums that cannot be deliberately
spoofed.  We strongly recommend that sites install the MD5 software and use it
to validate system software.  More information on obtaining MD5 is given
below.

The list of checksums in Appendix B of this advisory is provided for your
convenience.  In addition, we are providing a program that can assist you in
checking your MD5 output against the values in the database.  This checksum
list is not complete.  We have begun with a number of the more common
locations for Trojan horses that we have seen in connection with the
continuing "sniffer" attacks reported in CA-94:01 "Ongoing Network Monitoring
Attacks."  We intend to work with all vendors to expand this list and make
more MD5 checksums widely available for anonymous FTP.

We encourage sites to consider installing a more complete package for
monitoring system integrity, such as Tripwire from the COAST project
(anonymous FTP on ftp.cs.purdue in "/pub/spaf/COAST/Tripwire") or the TIGER
system from TAMU (anonymous FTP on net.tamu.edu in "pub/security/TAMU").

We will maintain a file, CA-94:05.README, that will contain pointers to
additional databases and other updates as they become available.

  [The entire Advisory is in RISKS-15.67MD5.
  Contact the CERT for further information.  PGN]
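
An added example, not part of the CERT advisory or its checking tool: a baseline audit that records both a 16-bit rotate-and-add checksum (the algorithm of BSD-style "sum") and a cryptographic digest for each file, showing a modified file that the weak checksum passes and the digest catches. The file names and contents are constructed samples, and SHA-256 from Python's hashlib stands in for the advisory's MD5 as a substitution made for this example.

```python
import hashlib

def bsd_sum(data: bytes) -> int:
    """16-bit rotate-right-and-add checksum, the algorithm of BSD-style `sum`."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) | ((checksum & 1) << 15)  # rotate right one bit
        checksum = (checksum + byte) & 0xFFFF
    return checksum

def strong_digest(data: bytes) -> str:
    # SHA-256 stands in for the advisory's MD5 (substitution made for this example).
    return hashlib.sha256(data).hexdigest()

def build_baseline(files):
    """Record both values for each known-good file: {path: (sum, digest)}."""
    return {path: (bsd_sum(data), strong_digest(data)) for path, data in files.items()}

def audit(baseline, current):
    """Compare current contents with the baseline; return {path: verdict}."""
    report = {}
    for path, (good_sum, good_digest) in sorted(baseline.items()):
        data = current.get(path)
        if data is None:
            report[path] = "missing"
        elif strong_digest(data) == good_digest:
            report[path] = "ok"
        elif bsd_sum(data) == good_sum:
            # The case the advisory describes: `sum` alone would report no change.
            report[path] = "modified, sum unchanged"
        else:
            report[path] = "modified"
    for path in sorted(set(current) - set(baseline)):
        report[path] = "not in baseline"
    return report

# Constructed sample data (hypothetical paths and contents, not real SunOS files).
KNOWN_GOOD = {
    "sample/login": b"AB login build 1\n",
    "sample/ps": b"ps build 1\n",
    "sample/ls": b"ls build 1\n",
}
CURRENT = {
    # Constructed to differ from the known-good copy while keeping the same 16-bit sum.
    "sample/login": b"CA login build 1\n",
    "sample/ps": b"ps build 2\n",
    "sample/extra": b"unexpected\n",
}

if __name__ == "__main__":
    for path, verdict in audit(build_baseline(KNOWN_GOOD), CURRENT).items():
        print(f"{verdict:24} {path}")
```

The baseline itself has to be kept where an intruder with root access cannot rewrite it, for example on read-only or offline media.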
